[17577] in Kerberos_V5_Development


Re: suggestion for locating master kdc logic

daemon@ATHENA.MIT.EDU (Will Fiveash)
Mon Apr 9 15:44:53 2012

Date: Mon, 9 Apr 2012 14:44:39 -0500
From: Will Fiveash <will.fiveash@oracle.com>
To: Nico Williams <nico@cryptonector.com>
Message-ID: <20120409194439.GB2566@oracle.com>
Mail-Followup-To: Nico Williams <nico@cryptonector.com>,
	Sam Hartman <hartmans@mit.edu>, krbdev@mit.edu
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <CAK3OfOgg8hY_voC3Q1DsT0ZJEvTLCMS6mpK0u93YLcwgdHdR4w@mail.gmail.com>
Cc: Sam Hartman <hartmans@mit.edu>, krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On Mon, Apr 09, 2012 at 09:34:14AM -0500, Nico Williams wrote:
> On Mon, Apr 9, 2012 at 7:16 AM, Sam Hartman <hartmans@mit.edu> wrote:
> > So, whether it makes sense to go to a master KDC is a property of a
> > realm.
> 
> Yes.  Fallback to master for initial authentication should definitely
> be a separate parameter, regardless of whether a master/admin/kpasswd
> server(s) is(are) specified.

If my proposed realm config parameter try_admin_server_on_err (or
whatever it should be named) is implemented then the admin would have
complete control over the fall-back behavior.  Note the following
examples are for a client sending initial auth request to a KDC:

# By default would fall back to try admin_server (using default KDC
# port) if receiving an invalid password or princ not found error from
# kdc1.

FOO.COM = {
    kdc = kdc1.foo.com
    admin_server = kdc3.foo.com
}

# Would immediately fail on receiving an invalid password or princ not
# found error from kdc1.

FOO.COM = {
    kdc = kdc1.foo.com
    try_admin_server_on_err = false
    admin_server = kdc3.foo.com
}

# Would fall back to trying master_kdc using port 45001 on receiving an
# invalid password or princ not found error from kdc1.  admin_server
# would never be used for fall back for the error condition described
# above.

FOO.COM = {
    kdc = kdc1.foo.com:45001
    master_kdc = kdc2.foo.com:45001
    admin_server = kdc3.foo.com:45002
}

-- 
Will Fiveash
Oracle Solaris Software Engineer
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet, text based e-mail app <http://www.mutt.org/>
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
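The following is an added example, not code from the mail above or from MIT krb5, that models the client-side fallback the three stanzas describe: parse each realm stanza, then decide which server (if any) to retry against when the first KDC answers the initial authentication request with an invalid-password or principal-not-found error. Assumptions not stated in the mail: the minimal stanza parser is hand-written for these fragments only; the error names mirror the RFC 4120 codes KDC_ERR_PREAUTH_FAILED and KDC_ERR_C_PRINCIPAL_UNKNOWN; the default KDC port is 88; when admin_server is used as the fallback, any explicit port on it is dropped in favour of the KDC port (the mail only says "using default KDC port" for the unported case); and the fake responder that makes kdc1 reject every request stands in for a replica with stale data.

```python
"""Simulated initial-auth fallback for the try_admin_server_on_err proposal.

Added example, not part of the mail or of MIT krb5.  Error names,
default port and the admin_server port handling are assumptions.
"""
import re

DEFAULT_KDC_PORT = 88  # assumption: standard KDC port

# Errors that, per the mail, should trigger a retry against the master.
MASTER_FALLBACK_ERRORS = {"KDC_ERR_PREAUTH_FAILED", "KDC_ERR_C_PRINCIPAL_UNKNOWN"}


def parse_realm_stanzas(text):
    """Parse 'REALM = { key = value ... }' blocks into {realm: {key: [values]}}.
    Keys may repeat (several kdc lines), so every value is a list."""
    realms = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)
        if m:
            current = realms.setdefault(m.group(1), {})
            continue
        if line == "}":
            current = None
            continue
        if current is None:
            raise ValueError("key outside a realm stanza: %r" % line)
        key, _, value = line.partition("=")
        current.setdefault(key.strip(), []).append(value.strip())
    return realms


def parse_hostport(spec, default_port):
    """Split 'host[:port]' into (host, port)."""
    host, _, port = spec.partition(":")
    return host, (int(port) if port else default_port)


def bool_value(realm_cfg, key, default):
    vals = realm_cfg.get(key)
    if not vals:
        return default
    return vals[-1].lower() in ("true", "yes", "1")


def fallback_target(realm_cfg, error):
    """Return the (host, port) to retry against after `error` from the first
    KDC, or None when the client should fail immediately."""
    if error not in MASTER_FALLBACK_ERRORS:
        return None
    if "master_kdc" in realm_cfg:
        # master_kdc wins; admin_server is never consulted for this fallback.
        return parse_hostport(realm_cfg["master_kdc"][0], DEFAULT_KDC_PORT)
    if not bool_value(realm_cfg, "try_admin_server_on_err", True):
        return None  # admin disabled the fallback
    if "admin_server" in realm_cfg:
        # Assumption: the admin port is not a KDC port, so use the KDC default.
        host, _ = parse_hostport(realm_cfg["admin_server"][0], DEFAULT_KDC_PORT)
        return host, DEFAULT_KDC_PORT
    return None


def initial_auth_attempts(realm_cfg, respond):
    """Simulate the AS exchange: contact the first kdc, and on a fallback
    error retry once against the fallback target.  `respond(host, port)`
    returns an error name or None for success.  Returns the ordered list of
    (host, port, result) tuples."""
    host, port = parse_hostport(realm_cfg["kdc"][0], DEFAULT_KDC_PORT)
    err = respond(host, port)
    attempts = [(host, port, err)]
    target = fallback_target(realm_cfg, err) if err else None
    if target is not None:
        attempts.append(target + (respond(*target),))
    return attempts


# The three stanzas from the mail, verbatim; each is parsed on its own
# because they all name the same realm.
MAIL_EXAMPLES = [
    "FOO.COM = {\n    kdc = kdc1.foo.com\n    admin_server = kdc3.foo.com\n}",
    "FOO.COM = {\n    kdc = kdc1.foo.com\n    try_admin_server_on_err = false\n"
    "    admin_server = kdc3.foo.com\n}",
    "FOO.COM = {\n    kdc = kdc1.foo.com:45001\n    master_kdc = kdc2.foo.com:45001\n"
    "    admin_server = kdc3.foo.com:45002\n}",
]


def stale_replica(host, port):
    """Constructed responder: kdc1 has not yet seen a password change and
    rejects the user; every other server accepts."""
    return "KDC_ERR_PREAUTH_FAILED" if host == "kdc1.foo.com" else None


def demo():
    """Run the three mail examples against the stale replica."""
    results = []
    for stanza in MAIL_EXAMPLES:
        cfg = parse_realm_stanzas(stanza)["FOO.COM"]
        results.append(initial_auth_attempts(cfg, stale_replica))
    return results


if __name__ == "__main__":
    for i, attempts in enumerate(demo(), 1):
        print("example %d:" % i, attempts)
```

One operational consequence worth keeping in mind when enabling either fallback: a genuinely wrong password now produces a failed pre-authentication on two servers (the replica and then the master), so lockout counters and detection rules that count KDC_ERR_PREAUTH_FAILED events per host will see the attempt twice unless they correlate on the client address and principal.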
